Applying policies to apis for service graph

ABSTRACT

The implementations described herein provide a tool for identifying security issues and applying security policies to the service(s) and/or microservices. Rather than a user (such as an administrator) reactively diagnosing security incidents, the systems and methods described herein may provide a tool by which the user can proactively monitor the use of the services and microservices for security issues and control the user of such microservices and services via policies. The systems and methods allow API granular policy control to determine which APIs may be granted or denies access based on a variety of criteria, such as but not limited to the source of the request, the specific API being called, temporal conditions, geography and so forth. The user can identify security concerns or issues on a per API basis.

FIELD OF THE DISCLOSURE

The present application generally relates to service graphs, includingbut not limited to systems and methods for applying security policies touse of microservices and application programming interfaces (APIs) tomicroservices.

BACKGROUND

Various services may be used, accessed, or otherwise provided to users.Such services may include microservices which perform a subset of tasksor functions which, collectively, provide the service to the user.Microservice(s) may have multiple application programming interfaces(APIs). Some programs or users may access such microservices via theseAPIs that should not access such microservices or use such APIs.

SUMMARY

This Summary is provided to introduce a selection of concepts in asimplified form that are further described below in the DetailedDescription. This Summary is not intended to identify key features oressential features, nor is it intended to limit the scope of the claimsincluded herewith.

The present disclosure is directed to systems and methods of identifyingsecurity issues and applying security policies to the service(s) and/ormicroservices. Rather than a user (such as an administrator) reactivelydiagnosing security incidents, the systems and methods described hereinmay provide a tool by which the user can proactively monitor the use ofthe services and microservices for security issues and control the userof such microservices and services via policies. The systems and methodsallow API granular policy control to determine which APIs may be grantedor denies access based on a variety of criteria, such as but not limitedto the source of the request, the specific API being called, temporalconditions, geography and so forth. The user can identify securityconcerns or issues on a per API basis.

Described herein is a method for applying a policy to an applicationprogramming interface of a microservice. In the method, a deviceintermediary to a plurality of microservices identifies a policy foraccessing an application programming interface (API) of a microservice.The policy identifies which of the other microservices may access theAPI of the microservice. The device receives one or more requests fromone or more microservices to access the API of the microservice. Thedevice determines, responsive to the policy, that at least one requestis from a microservice not allowed to access the API. The deviceprevents the request from accessing microservice.

The method may include receiving, by the device, a request from a sourceother than the plurality of microservices to access the API of themicroservice. The source may be a device external to a network of theplurality of microservices. The method may include the device blockingthe request responsive to the policy. The method may include the deviceidentifying a request to access the API of the microservice from asecond microservice as allowed, responsive to the policy. The method mayinclude the device forwarding the second allowed request to themicroservice.

The method may include generating, by the device, a service graphcomprising a plurality of microservices and one or more links betweenone or more microservices and the microservice. The method may includedisplaying by the device the service graph identifying one or moredevice actions responsive to the policy and in association with acorresponding link to the microservice. The method may further includedisplaying the service graph with one or more user interface elements.The user interface elements may take an action with respect to the linkwith respect to one or more requests. The action may be quarantining,preventing access, releasing, or adding a second policy.

The method may include generating, by the device, a service graph. Theservice graph may include the plurality of microservices and one or morelinks allowed by the policy between one of the other microservices andthe microservice. The method may include displaying, by the device, theservice graph with an identification of the one or more links to themicroservice allowed by the policy.

Described herein is a system for applying a policy to an applicationprogramming interface of a microservice. The system may include a devicecomprising one or more processors, coupled to memory, and intermediaryto a plurality of microservices. The device may be configured toidentify a policy for accessing an application programming interface(API) of a microservice of a plurality of microservices. The policy mayidentify which other of the plurality of microservices may access theAPI of the microservice. The device may be configured to receive one ormore requests from one or more microservices of the plurality ofmicroservices to access the API of the microservice. The device may beconfigured to determine, responsive to the policy, that at least onerequest of the one or more requests is from a microservice not allowedto access the API of the microservice. The device may be configured toprevent, responsive to the determination, access to the microservice bythe at least one request.

The device may be further configured to receive a request from a sourceother than the plurality of microservices to access the API of themicroservice. The source may comprise a device external to a network ofthe plurality of microservices. The device may be configured to blockthe request responsive to the policy.

The device may be configured to identify, responsive to the policy, thata second request to access the API of the microservice is from a secondmicroservice identified as allowed to access the microservice. Thedevice may be configured to forward the second request to themicroservice.

The device may be configured to generate a service graph comprising theplurality of microservices and one or more links between the one or moreof the other of the plurality of microservices and the microservice. Thedevice may be configured to display the service graph withidentification of one or more actions of the device responsive to thepolicy in association with a corresponding link to the microservice.

The device may be configured to display the service graph with one ormore user interface elements to take an action with respect to the linkwith respect to the one or more requests. The action may be one ofquarantining, preventing access, releasing or adding a second policy.

The device may be configured to generate a service graph comprising theplurality of microservices and one or more links allowed by the policybetween the one or more of the other of the plurality of microservicesand the microservice. The device may be configured to display theservice graph with identification of the one or more links to themicroservice allowed by the policy

BRIEF DESCRIPTION OF THE DRAWING FIGURES

Objects, aspects, features, and advantages of embodiments disclosedherein will become more fully apparent from the following detaileddescription, the appended claims, and the accompanying drawing figuresin which like reference numerals identify similar or identical elements.Reference numerals that are introduced in the specification inassociation with a drawing figure may be repeated in one or moresubsequent figures without additional description in the specificationin order to provide context for other features, and not every elementmay be labeled in every figure. The drawing figures are not necessarilyto scale, emphasis instead being placed upon illustrating embodiments,principles and concepts. The drawings are not intended to limit thescope of the claims included herewith.

FIG. 1A is a block diagram of a network computing system, in accordancewith an illustrative embodiment;

FIG. 1B is a block diagram of a network computing system for deliveringa computing environment from a server to a client via an appliance, inaccordance with an illustrative embodiment;

FIG. 1C is a block diagram of a computing device, in accordance with anillustrative embodiment;

FIG. 2 is a block diagram of an appliance for processing communicationsbetween a client and a server, in accordance with an illustrativeembodiment;

FIG. 3 is a block diagram of a virtualization environment, in accordancewith an illustrative embodiment;

FIG. 4 is a block diagram of a cluster system, in accordance with anillustrative embodiment;

FIG. 5A is a block diagram of a service graph based system, inaccordance with an illustrative embodiment;

FIG. 5B is a block diagram of a service graph, in accordance with anillustrative embodiment;

FIG. 5C is a flow diagram of a method of using a service graph, inaccordance with an illustrative embodiment;

FIG. 6A is an example user interface displaying missing nodes or linksof a service graph, in accordance with an illustrative embodiment; and

FIG. 6B is a flow diagram of a method for identifying missing nodes orlinks of a service graph, in accordance with an illustrative embodiment.

DETAILED DESCRIPTION

For purposes of reading the description of the various embodimentsbelow, the following descriptions of the sections of the specificationand their respective contents may be helpful:

Section A describes a network environment and computing environmentwhich may be useful for practicing embodiments described herein;

Section B describes embodiments of systems and methods for delivering acomputing environment to a remote user;

Section C describes embodiments of systems and methods for virtualizingan application delivery controller;

Section D describes embodiments of systems and methods for providing aclustered appliance architecture environment; and

Section E describes embodiments of a service graph based platform andtechnology; and

Section F describes embodiments of systems and methods for replaying aservice graph of a plurality of microservices.

A. Network and Computing Environment

Referring to FIG. 1A, an illustrative network environment 100 isdepicted. Network environment 100 may include one or more clients102(1)-102(n) (also generally referred to as local machine(s) 102 orclient(s) 102) in communication with one or more servers 106(1)-106(n)(also generally referred to as remote machine(s) 106 or server(s) 106)via one or more networks 104(1)-104 n (generally referred to asnetwork(s) 104). In some embodiments, a client 102 may communicate witha server 106 via one or more appliances 200(1)-200 n (generally referredto as appliance(s) 200 or gateway(s) 200).

Although the embodiment shown in FIG. 1A shows one or more networks 104between clients 102 and servers 106, in other embodiments, clients 102and servers 106 may be on the same network 104. The various networks 104may be the same type of network or different types of networks. Forexample, in some embodiments, network 104(1) may be a private networksuch as a local area network (LAN) or a company Intranet, while network104(2) and/or network 104(n) may be a public network, such as a widearea network (WAN) or the Internet. In other embodiments, both network104(1) and network 104(n) may be private networks. Networks 104 mayemploy one or more types of physical networks and/or network topologies,such as wired and/or wireless networks, and may employ one or morecommunication transport protocols, such as transmission control protocol(TCP), internet protocol (IP), user datagram protocol (UDP) or othersimilar protocols.

As shown in FIG. 1A, one or more appliances 200 may be located atvarious points or in various communication paths of network environment100. For example, appliance 200 may be deployed between two networks104(1) and 104(2), and appliances 200 may communicate with one anotherto work in conjunction to, for example, accelerate network trafficbetween clients 102 and servers 106. In other embodiments, the appliance200 may be located on a network 104. For example, appliance 200 may beimplemented as part of one of clients 102 and/or servers 106. In anembodiment, appliance 200 may be implemented as a network device such asCitrix networking (formerly NetScaler®) products sold by Citrix Systems,Inc. of Fort Lauderdale, Fla.

As shown in FIG. 1A, one or more servers 106 may operate as a serverfarm 38. Servers 106 of server farm 38 may be logically grouped, and mayeither be geographically co-located (e.g., on premises) orgeographically dispersed (e.g., cloud based) from clients 102 and/orother servers 106. In an embodiment, server farm 38 executes one or moreapplications on behalf of one or more of clients 102 (e.g., as anapplication server), although other uses are possible, such as a fileserver, gateway server, proxy server, or other similar server uses.Clients 102 may seek access to hosted applications on servers 106.

As shown in FIG. 1A, in some embodiments, appliances 200 may include, bereplaced by, or be in communication with, one or more additionalappliances, such as WAN optimization appliances 205(1)-205(n), referredto generally as WAN optimization appliance(s) 205. For example, WANoptimization appliance 205 may accelerate, cache, compress or otherwiseoptimize or improve performance, operation, flow control, or quality ofservice of network traffic, such as traffic to and/or from a WANconnection, such as optimizing Wide Area File Services (WAFS),accelerating Server Message Block (SMB) or Common Internet File System(CIFS). In some embodiments, appliance 205 may be a performanceenhancing proxy or a WAN optimization controller. In one embodiment,appliance 205 may be implemented as Citrix SD-WAN products sold byCitrix Systems, Inc. of Fort Lauderdale, Fla.

Referring to FIG. 1B, an example network environment, 100′, fordelivering and/or operating a computing network environment on a client102 is shown. As shown in FIG. 1B, a server 106 may include anapplication delivery system 190 for delivering a computing environment,application, and/or data files to one or more clients 102. Client 102may include client agent 120 and computing environment 15. Computingenvironment 15 may execute or operate an application, 16, that accesses,processes or uses a data file 17. Computing environment 15, application16 and/or data file 17 may be delivered via appliance 200 and/or theserver 106.

Appliance 200 may accelerate delivery of all or a portion of computingenvironment 15 to a client 102, for example by the application deliverysystem 190. For example, appliance 200 may accelerate delivery of astreaming application and data file processable by the application froma data center to a remote user location by accelerating transport layertraffic between a client 102 and a server 106. Such acceleration may beprovided by one or more techniques, such as: 1) transport layerconnection pooling, 2) transport layer connection multiplexing, 3)transport control protocol buffering, 4) compression, 5) caching, orother techniques. Appliance 200 may also provide load balancing ofservers 106 to process requests from clients 102, act as a proxy oraccess server to provide access to the one or more servers 106, providesecurity and/or act as a firewall between a client 102 and a server 106,provide Domain Name Service (DNS) resolution, provide one or morevirtual servers or virtual internet protocol servers, and/or provide asecure virtual private network (VPN) connection from a client 102 to aserver 106, such as a secure socket layer (SSL) VPN connection and/orprovide encryption and decryption operations.

Application delivery management system 190 may deliver computingenvironment 15 to a user (e.g., client 102), remote or otherwise, basedon authentication and authorization policies applied by policy engine195. A remote user may obtain a computing environment and access toserver stored applications and data files from any network-connecteddevice (e.g., client 102). For example, appliance 200 may request anapplication and data file from server 106. In response to the request,application delivery system 190 and/or server 106 may deliver theapplication and data file to client 102, for example via an applicationstream to operate in computing environment 15 on client 102, or via aremote-display protocol or otherwise via remote-based or server-basedcomputing. In an embodiment, application delivery system 190 may beimplemented as any portion of the Citrix Workspace Suite™ by CitrixSystems, Inc., such as Citrix Virtual Apps and Desktops (formerlyXenApp® and XenDesktop®).

Policy engine 195 may control and manage the access to, and executionand delivery of, applications. For example, policy engine 195 maydetermine the one or more applications a user or client 102 may accessand/or how the application should be delivered to the user or client102, such as a server-based computing, streaming or delivering theapplication locally to the client 120 for local execution.

For example, in operation, a client 102 may request execution of anapplication (e.g., application 16′) and application delivery system 190of server 106 determines how to execute application 16′, for examplebased upon credentials received from client 102 and a user policyapplied by policy engine 195 associated with the credentials. Forexample, application delivery system 190 may enable client 102 toreceive application-output data generated by execution of theapplication on a server 106, may enable client 102 to execute theapplication locally after receiving the application from server 106, ormay stream the application via network 104 to client 102. For example,in some embodiments, the application may be a server-based or aremote-based application executed on server 106 on behalf of client 102.Server 106 may display output to client 102 using a thin-client orremote-display protocol, such as the Independent Computing Architecture(ICA) protocol by Citrix Systems, Inc. of Fort Lauderdale, Fla. Theapplication may be any application related to real-time datacommunications, such as applications for streaming graphics, streamingvideo and/or audio or other data, delivery of remote desktops orworkspaces or hosted services or applications, for exampleinfrastructure as a service (IaaS), desktop as a service (DaaS),workspace as a service (WaaS), software as a service (SaaS) or platformas a service (PaaS).

One or more of servers 106 may include a performance monitoring serviceor agent 197. In some embodiments, a dedicated one or more servers 106may be employed to perform performance monitoring. Performancemonitoring may be performed using data collection, aggregation,analysis, management and reporting, for example by software, hardware ora combination thereof. Performance monitoring may include one or moreagents for performing monitoring, measurement and data collectionactivities on clients 102 (e.g., client agent 120), servers 106 (e.g.,agent 197) or an appliance 200 and/or 205 (agent not shown). In general,monitoring agents (e.g., 120 and/or 197) execute transparently (e.g., inthe background) to any application and/or user of the device. In someembodiments, monitoring agent 197 includes any of the productembodiments referred to as Citrix Analytics or Citrix ApplicationDelivery Management by Citrix Systems, Inc. of Fort Lauderdale, Fla.

The monitoring agents 120 and 197 may monitor, measure, collect, and/oranalyze data on a predetermined frequency, based upon an occurrence ofgiven event(s), or in real time during operation of network environment100. The monitoring agents may monitor resource consumption and/orperformance of hardware, software, and/or communications resources ofclients 102, networks 104, appliances 200 and/or 205, and/or servers106. For example, network connections such as a transport layerconnection, network latency, bandwidth utilization, end-user responsetimes, application usage and performance, session connections to anapplication, cache usage, memory usage, processor usage, storage usage,database transactions, client and/or server utilization, active users,duration of user activity, application crashes, errors, or hangs, thetime required to log-in to an application, a server, or the applicationdelivery system, and/or other performance conditions and metrics may bemonitored.

The monitoring agents 120 and 197 may provide application performancemanagement for application delivery system 190. For example, based uponone or more monitored performance conditions or metrics, applicationdelivery system 190 may be dynamically adjusted, for exampleperiodically or in real-time, to optimize application delivery byservers 106 to clients 102 based upon network environment performanceand conditions.

In described embodiments, clients 102, servers 106, and appliances 200and 205 may be deployed as and/or executed on any type and form ofcomputing device, such as any desktop computer, laptop computer, ormobile device capable of communication over at least one network andperforming the operations described herein. For example, clients 102,servers 106 and/or appliances 200 and 205 may each correspond to onecomputer, a plurality of computers, or a network of distributedcomputers such as computer 101 shown in FIG. 1C.

As shown in FIG. 1C, computer 101 may include one or more processors103, volatile memory 122 (e.g., RAM), non-volatile memory 128 (e.g., oneor more hard disk drives (HDDs) or other magnetic or optical storagemedia, one or more solid state drives (SSDs) such as a flash drive orother solid state storage media, one or more hybrid magnetic and solidstate drives, and/or one or more virtual storage volumes, such as acloud storage, or a combination of such physical storage volumes andvirtual storage volumes or arrays thereof), user interface (UI) 123, oneor more communications interfaces 118, and communication bus 150. Userinterface 123 may include graphical user interface (GUI) 124 (e.g., atouchscreen, a display, etc.) and one or more input/output (I/O) devices126 (e.g., a mouse, a keyboard, etc.). Non-volatile memory 128 storesoperating system 115, one or more applications 116, and data 117 suchthat, for example, computer instructions of operating system 115 and/orapplications 116 are executed by processor(s) 103 out of volatile memory122. Data may be entered using an input device of GUI 124 or receivedfrom I/O device(s) 126. Various elements of computer 101 may communicatevia communication bus 150. Computer 101 as shown in FIG. 1C is shownmerely as an example, as clients 102, servers 106 and/or appliances 200and 205 may be implemented by any computing or processing environmentand with any type of machine or set of machines that may have suitablehardware and/or software capable of operating as described herein.

Processor(s) 103 may be implemented by one or more programmableprocessors executing one or more computer programs to perform thefunctions of the system. As used herein, the term “processor” describesan electronic circuit that performs a function, an operation, or asequence of operations. The function, operation, or sequence ofoperations may be hard coded into the electronic circuit or soft codedby way of instructions held in a memory device. A “processor” mayperform the function, operation, or sequence of operations using digitalvalues or using analog signals. In some embodiments, the “processor” canbe embodied in one or more application specific integrated circuits(ASICs), microprocessors, digital signal processors, microcontrollers,field programmable gate arrays (FPGAs), programmable logic arrays(PLAs), multi-core processors, or general-purpose computers withassociated memory. The “processor” may be analog, digital ormixed-signal. In some embodiments, the “processor” may be one or morephysical processors or one or more “virtual” (e.g., remotely located or“cloud”) processors.

Communications interfaces 118 may include one or more interfaces toenable computer 101 to access a computer network such as a LAN, a WAN,or the Internet through a variety of wired and/or wireless or cellularconnections.

In described embodiments, a first computing device 101 may execute anapplication on behalf of a user of a client computing device (e.g., aclient 102), may execute a virtual machine, which provides an executionsession within which applications execute on behalf of a user or aclient computing device (e.g., a client 102), such as a hosted desktopsession, may execute a terminal services session to provide a hosteddesktop environment, or may provide access to a computing environmentincluding one or more of: one or more applications, one or more desktopapplications, and one or more desktop sessions in which one or moreapplications may execute.

B. Appliance Architecture

FIG. 2 shows an example embodiment of appliance 200. As describedherein, appliance 200 may be implemented as a server, gateway, router,switch, bridge or other type of computing or network device. As shown inFIG. 2, an embodiment of appliance 200 may include a hardware layer 206and a software layer 205 divided into a user space 202 and a kernelspace 204. Hardware layer 206 provides the hardware elements upon whichprograms and services within kernel space 204 and user space 202 areexecuted and allow programs and services within kernel space 204 anduser space 202 to communicate data both internally and externally withrespect to appliance 200. As shown in FIG. 2, hardware layer 206 mayinclude one or more processing units 262 for executing software programsand services, memory 264 for storing software and data, network ports266 for transmitting and receiving data over a network, and encryptionprocessor 260 for encrypting and decrypting data such as in relation toSecure Socket Layer (SSL) or Transport Layer Security (TLS) processingof data transmitted and received over the network.

An operating system of appliance 200 allocates, manages, or otherwisesegregates the available system memory into kernel space 204 and userspace 202. Kernel space 204 is reserved for running kernel 230,including any device drivers, kernel extensions or other kernel relatedsoftware. As known to those skilled in the art, kernel 230 is the coreof the operating system, and provides access, control, and management ofresources and hardware-related elements of application 104. Kernel space204 may also include a number of network services or processes workingin conjunction with cache manager 232.

Appliance 200 may include one or more network stacks 267, such as aTCP/IP based stack, for communicating with client(s) 102, server(s) 106,network(s) 104, and/or other appliances 200 or 205. For example,appliance 200 may establish and/or terminate one or more transport layerconnections between clients 102 and servers 106. Each network stack 267may include a buffer 243 for queuing one or more network packets fortransmission by appliance 200.

Kernel space 204 may include cache manager 232, packet engine 240,encryption engine 234, policy engine 236 and compression engine 238. Inother words, one or more of processes 232, 240, 234, 236 and 238 run inthe core address space of the operating system of appliance 200, whichmay reduce the number of data transactions to and from the memory and/orcontext switches between kernel mode and user mode, for example sincedata obtained in kernel mode may not need to be passed or copied to auser process, thread or user level data structure.

Cache manager 232 may duplicate original data stored elsewhere or datapreviously computed, generated or transmitted to reducing the accesstime of the data. In some embodiments, the cache memory may be a dataobject in memory 264 of appliance 200, or may be a physical memoryhaving a faster access time than memory 264.

Policy engine 236 may include a statistical engine or otherconfiguration mechanism to allow a user to identify, specify, define orconfigure a caching policy and access, control and management ofobjects, data or content being cached by appliance 200, and define orconfigure security, network traffic, network access, compression orother functions performed by appliance 200.

Encryption engine 234 may process any security related protocol, such asSSL or TLS. For example, encryption engine 234 may encrypt and decryptnetwork packets, or any portion thereof, communicated via appliance 200,may setup or establish SSL, TLS or other secure connections, for examplebetween client 102, server 106, and/or other appliances 200 or 205. Insome embodiments, encryption engine 234 may use a tunneling protocol toprovide a VPN between a client 102 and a server 106. In someembodiments, encryption engine 234 is in communication with encryptionprocessor 260. Compression engine 238 compresses network packetsbi-directionally between clients 102 and servers 106 and/or between oneor more appliances 200.

Packet engine 240 may manage kernel-level processing of packets receivedand transmitted by appliance 200 via network stacks 267 to send andreceive network packets via network ports 266. Packet engine 240 mayoperate in conjunction with encryption engine 234, cache manager 232,policy engine 236 and compression engine 238, for example to performencryption/decryption, traffic management such as request-level contentswitching and request-level cache redirection, and compression anddecompression of data.

User space 202 is a memory area or portion of the operating system usedby user mode applications or programs otherwise running in user mode. Auser mode application may not access kernel space 204 directly and usesservice calls in order to access kernel services. User space 202 mayinclude graphical user interface (GUI) 210, a command line interface(CLI) 212, shell services 214, health monitor 216, and daemon services218. GUI 210 and CLI 212 enable a system administrator or other user tointeract with and control the operation of appliance 200, such as viathe operating system of appliance 200. Shell services 214 include theprograms, services, tasks, processes or executable instructions tosupport interaction with appliance 200 by a user via the GUI 210 and/orCLI 212.

Health monitor 216 monitors, checks, reports and ensures that networksystems are functioning properly and that users are receiving requestedcontent over a network, for example by monitoring activity of appliance200. In some embodiments, health monitor 216 intercepts and inspects anynetwork traffic passed via appliance 200. For example, health monitor216 may interface with one or more of encryption engine 234, cachemanager 232, policy engine 236, compression engine 238, packet engine240, daemon services 218, and shell services 214 to determine a state,status, operating condition, or health of any portion of the appliance200. Further, health monitor 216 may determine if a program, process,service or task is active and currently running, check status, error orhistory logs provided by any program, process, service or task todetermine any condition, status or error with any portion of appliance200. Additionally, health monitor 216 may measure and monitor theperformance of any application, program, process, service, task orthread executing on appliance 200.

Daemon services 218 are programs that run continuously or in thebackground and handle periodic service requests received by appliance200. In some embodiments, a daemon service may forward the requests toother programs or processes, such as another daemon service 218 asappropriate.

As described herein, appliance 200 may relieve servers 106 of much ofthe processing load caused by repeatedly opening and closing transportlayer connections to clients 102 by opening one or more transport layerconnections with each server 106 and maintaining these connections toallow repeated data accesses by clients via the Internet (e.g.,“connection pooling”). To perform connection pooling, appliance 200 maytranslate or multiplex communications by modifying sequence numbers andacknowledgment numbers at the transport layer protocol level (e.g.,“connection multiplexing”). Appliance 200 may also provide switching orload balancing for communications between the client 102 and server 106.

As described herein, each client 102 may include client agent 120 forestablishing and exchanging communications with appliance 200 and/orserver 106 via a network 104. Client 102 may have installed and/orexecute one or more applications that are in communication with network104. Client agent 120 may intercept network communications from anetwork stack used by the one or more applications. For example, clientagent 120 may intercept a network communication at any point in anetwork stack and redirect the network communication to a destinationdesired, managed or controlled by client agent 120, for example tointercept and redirect a transport layer connection to an IP address andport controlled or managed by client agent 120. Thus, client agent 120may transparently intercept any protocol layer below the transportlayer, such as the network layer, and any protocol layer above thetransport layer, such as the session, presentation or applicationlayers. Client agent 120 can interface with the transport layer tosecure, optimize, accelerate, route or load-balance any communicationsprovided via any protocol carried by the transport layer.

In some embodiments, client agent 120 is implemented as an IndependentComputing Architecture (ICA) client developed by Citrix Systems, Inc. ofFort Lauderdale, Fla. Client agent 120 may perform acceleration,streaming, monitoring, and/or other operations. For example, clientagent 120 may accelerate streaming an application from a server 106 to aclient 102. Client agent 120 may also perform end-pointdetection/scanning and collect end-point information about client 102for appliance 200 and/or server 106. Appliance 200 and/or server 106 mayuse the collected information to determine and provide access,authentication and authorization control of the client's connection tonetwork 104. For example, client agent 120 may identify and determineone or more client-side attributes, such as: the operating system and/ora version of an operating system, a service pack of the operatingsystem, a running service, a running process, a file, presence orversions of various applications of the client, such as antivirus,firewall, security, and/or other software.

C. Systems and Methods for Providing Virtualized Application DeliveryController

Referring now to FIG. 3, a block diagram of a virtualized environment300 is shown. As shown, a computing device 302 in virtualizedenvironment 300 includes a virtualization layer 303, a hypervisor layer304, and a hardware layer 307. Hypervisor layer 304 includes one or morehypervisors (or virtualization managers) 301 that allocates and managesaccess to a number of physical resources in hardware layer 307 (e.g.,physical processor(s) 321 and physical disk(s) 328) by at least onevirtual machine (VM) (e.g., one of VMs 306) executing in virtualizationlayer 303. Each VM 306 may include allocated virtual resources such asvirtual processors 332 and/or virtual disks 342, as well as virtualresources such as virtual memory and virtual network interfaces. In someembodiments, at least one of VMs 306 may include a control operatingsystem (e.g., 305) in communication with hypervisor 301 and used toexecute applications for managing and configuring other VMs (e.g., guestoperating systems 310) on device 302.

In general, hypervisor(s) 301 may provide virtual resources to anoperating system of VMs 306 in any manner that simulates the operatingsystem having access to a physical device. Thus, hypervisor(s) 301 maybe used to emulate virtual hardware, partition physical hardware,virtualize physical hardware, and execute virtual machines that provideaccess to computing environments. In an illustrative embodiment,hypervisor(s) 301 may be implemented as a Citrix Hypervisor by CitrixSystems, Inc. of Fort Lauderdale, Fla. In an illustrative embodiment,device 302 executing a hypervisor that creates a virtual machineplatform on which guest operating systems may execute is referred to asa host server. 302

Hypervisor 301 may create one or more VMs 306 in which an operatingsystem (e.g., control operating system 305 and/or guest operating system310) executes. For example, the hypervisor 301 loads a virtual machineimage to create VMs 306 to execute an operating system. Hypervisor 301may present VMs 306 with an abstraction of hardware layer 307, and/ormay control how physical capabilities of hardware layer 307 arepresented to VMs 306. For example, hypervisor(s) 301 may manage a poolof resources distributed across multiple physical computing devices.

In some embodiments, one of VMs 306 (e.g., the VM executing controloperating system 305) may manage and configure other of VMs 306, forexample by managing the execution and/or termination of a VM and/ormanaging allocation of virtual resources to a VM. In variousembodiments, VMs may communicate with hypervisor(s) 301 and/or other VMsvia, for example, one or more Application Programming Interfaces (APIs),shared memory, and/or other techniques.

In general, VMs 306 may provide a user of device 302 with access toresources within virtualized computing environment 300, for example, oneor more programs, applications, documents, files, desktop and/orcomputing environments, or other resources. In some embodiments, VMs 306may be implemented as fully virtualized VMs that are not aware that theyare virtual machines (e.g., a Hardware Virtual Machine or HVM). In otherembodiments, the VM may be aware that it is a virtual machine, and/orthe VM may be implemented as a paravirtualized (PV) VM.

Although shown in FIG. 3 as including a single virtualized device 302,virtualized environment 300 may include a plurality of networked devicesin a system in which at least one physical host executes a virtualmachine. A device on which a VM executes may be referred to as aphysical host and/or a host machine. For example, appliance 200 may beadditionally or alternatively implemented in a virtualized environment300 on any computing device, such as a client 102, server 106 orappliance 200. Virtual appliances may provide functionality foravailability, performance, health monitoring, caching and compression,connection multiplexing and pooling and/or security processing (e.g.,firewall, VPN, encryption/decryption, etc.), similarly as described inregard to appliance 200.

In some embodiments, a server may execute multiple virtual machines 306,for example on various cores of a multi-core processing system and/orvarious processors of a multiple processor device. For example, althoughgenerally shown herein as “processors” (e.g., in FIGS. 1C, 2 and 3), oneor more of the processors may be implemented as either single- ormulti-core processors to provide a multi-threaded, parallel architectureand/or multi-core architecture. Each processor and/or core may have oruse memory that is allocated or assigned for private or local use thatis only accessible by that processor/core, and/or may have or use memorythat is public or shared and accessible by multiple processors/cores.Such architectures may allow work, task, load or network trafficdistribution across one or more processors and/or one or more cores(e.g., by functional parallelism, data parallelism, flow-based dataparallelism, etc.).

Further, instead of (or in addition to) the functionality of the coresbeing implemented in the form of a physical processor/core, suchfunctionality may be implemented in a virtualized environment (e.g.,300) on a client 102, server 106 or appliance 200, such that thefunctionality may be implemented across multiple devices, such as acluster of computing devices, a server farm or network of computingdevices, etc. The various processors/cores may interface or communicatewith each other using a variety of interface techniques, such as core tocore messaging, shared memory, kernel APIs, etc.

In embodiments employing multiple processors and/or multiple processorcores, described embodiments may distribute data packets among cores orprocessors, for example to balance the flows across the cores. Forexample, packet distribution may be based upon determinations offunctions performed by each core, source and destination addresses,and/or whether: a load on the associated core is above a predeterminedthreshold; the load on the associated core is below a predeterminedthreshold; the load on the associated core is less than the load on theother cores; or any other metric that can be used to determine where toforward data packets based in part on the amount of load on a processor.

For example, data packets may be distributed among cores or processesusing receive-side scaling (RSS) in order to process packets usingmultiple processors/cores in a network. RSS generally allows packetprocessing to be balanced across multiple processors/cores whilemaintaining in-order delivery of the packets. In some embodiments, RSSmay use a hashing scheme to determine a core or processor for processinga packet.

The RSS may generate hashes from any type and form of input, such as asequence of values. This sequence of values can include any portion ofthe network packet, such as any header, field or payload of networkpacket, and include any tuples of information associated with a networkpacket or data flow, such as addresses and ports. The hash result or anyportion thereof may be used to identify a processor, core, engine, etc.,for distributing a network packet, for example via a hash table,indirection table, or other mapping technique.

D. Systems and Methods for Providing a Distributed Cluster Architecture

Although shown in FIGS. 1A and 1B as being single appliances, appliances200 may be implemented as one or more distributed or clusteredappliances. Individual computing devices or appliances may be referredto as nodes of the cluster. A centralized management system may performload balancing, distribution, configuration, or other tasks to allow thenodes to operate in conjunction as a single computing system. Such acluster may be viewed as a single virtual appliance or computing device.FIG. 4 shows a block diagram of an illustrative computing device clusteror appliance cluster 400. A plurality of appliances 200 or othercomputing devices (e.g., nodes) may be joined into a single cluster 400.Cluster 400 may operate as an application server, network storageserver, backup service, or any other type of computing device to performmany of the functions of appliances 200 and/or 205.

In some embodiments, each appliance 200 of cluster 400 may beimplemented as a multi-processor and/or multi-core appliance, asdescribed herein. Such embodiments may employ a two-tier distributionsystem, with one appliance if the cluster distributing packets to nodesof the cluster, and each node distributing packets for processing toprocessors/cores of the node. In many embodiments, one or more ofappliances 200 of cluster 400 may be physically grouped orgeographically proximate to one another, such as a group of bladeservers or rack mount devices in a given chassis, rack, and/or datacenter. In some embodiments, one or more of appliances 200 of cluster400 may be geographically distributed, with appliances 200 notphysically or geographically co-located. In such embodiments,geographically remote appliances may be joined by a dedicated networkconnection and/or VPN. In geographically distributed embodiments, loadbalancing may also account for communications latency betweengeographically remote appliances.

In some embodiments, cluster 400 may be considered a virtual appliance,grouped via common configuration, management, and purpose, rather thanas a physical group. For example, an appliance cluster may comprise aplurality of virtual machines or processes executed by one or moreservers.

As shown in FIG. 4, appliance cluster 400 may be coupled to a firstnetwork 104(1) via client data plane 402, for example to transfer databetween clients 102 and appliance cluster 400. Client data plane 402 maybe implemented a switch, hub, router, or other similar network deviceinternal or external to cluster 400 to distribute traffic across thenodes of cluster 400. For example, traffic distribution may be performedbased on equal-cost multi-path (ECMP) routing with next hops configuredwith appliances or nodes of the cluster, open-shortest path first(OSPF), stateless hash-based traffic distribution, link aggregation(LAG) protocols, or any other type and form of flow distribution, loadbalancing, and routing.

Appliance cluster 400 may be coupled to a second network 104(2) viaserver data plane 404. Similarly to client data plane 402, server dataplane 404 may be implemented as a switch, hub, router, or other networkdevice that may be internal or external to cluster 400. In someembodiments, client data plane 402 and server data plane 404 may bemerged or combined into a single device.

In some embodiments, each appliance 200 of cluster 400 may be connectedvia an internal communication network or back plane 406. Back plane 406may enable inter-node or inter-appliance control and configurationmessages, for inter-node forwarding of traffic, and/or for communicatingconfiguration and control traffic from an administrator or user tocluster 400. In some embodiments, back plane 406 may be a physicalnetwork, a VPN or tunnel, or a combination thereof.

E. Service Graph Based Platform and Technology

Referring now to FIGS. 5A-5C, implementation of systems and methods fora service graph based platform and technology will be discussed. Aservice graph is a useful technology tool for visualizing a service byits topology of components and network elements. Services may be made upof microservices with each microservice handling a particular set of oneor more functions of the service. Network traffic may traverse theservice topology such as a client communicating with a server to accessservice (e.g., north-south traffic). Network traffic of a service mayinclude network traffic communicated between microservices of theservices such as within a data center or between data centers (e.g.,east-west traffic). The service graph may be used to identify andprovide metrics of such network traffic of the service as well asoperation and performance of any network elements used to provide theservice. Service graphs may be used for identifying and determiningissues with the service and which part of the topology causing theissue. Services graphs may be used to provide for administering,managing and configuring of services to improve operational performanceof such services.

Referring to FIG. 5A, an implementation of a system for service graphs,such as those illustrated in FIG. 5B, will be described. A device on anetwork, such as a network device 200, 205 or a server 206, may includea service graph generator and configurator 512, a service graph display514 and service graph monitor 516. The service graph generator andconfigurator 512 (generally referred to as service graph generator 512),may identify a topology 510 of elements in the network and metrics 518related to the network and the elements, to generate and/or configureservice graphs 505A-N. The service graphs 505A-N (generally referred toas service graphs 505) may be stored in one or more databases, with anyof the metric 518′ and/or topology 510′. The service graphic generator512 may generate data of the service graphs 505 to be displayed in adisplay or rendered form such as via a user interface, generatedreferred to as service graph display 514. Service graph monitor 516 maymonitor the network elements of the topology and service for metrics 518to configure and generate a service graph 505 and/or to updatedynamically or in real-time the elements and metrics 518 of orrepresented by a service graph display 514.

The topology 510 may include data identifying, describing, specifying orotherwise representing any elements used, traversed in accessing any oneor more services or otherwise included with or part of such one or moreservices, such as any of the services 275 described herein. The topologymay include data identifying or describing any one or more networks andnetwork elements traversed to access or use the services, including anynetwork devices, routers, switches, gateways, proxies, appliances,network connections or links, Internet Service Providers (ISPs), etc.The topology may include data identifying or describing any one or moreapplications, software, programs, services, processes, tasks orfunctions that are used or traversed in accessing a service. In someimplementations, a service may be made up or include multiplemicroservices, each providing one or more functions, functionality oroperations of or for a service. The topology may include dataidentifying or describing any one or more components of a service, suchas programs, functions, applications or microservices used to providethe service. The topology may include parameters, configuration dataand/or metadata about any portion of the topology, such as any elementof the topology.

A service graph 505 may include data representing the topology of aservice 275, such any elements making up such a service or used by theservice, for example as illustrated in FIG. 5B. The service graph may bein a node base form, such as graphical form of nodes and each noderepresenting an element or function of the topology of the service. Aservice graph may represent the topology of a service using nodesconnected among each other via various connectors or links, which may bereferred to as arcs. The arc may identify a relationship betweenelements connected by the arc. Nodes and arcs may be arranged in amanner to identify or describe one or more services. Nodes and arcs maybe arranged in a manner to identify or describe functions provided bythe one or more services. For example, a function node may represent afunction that is applied to the traffic, such as a transform (SSLtermination, VPN gateway), filter (firewalls), or terminal (intrusiondetection systems). A function within the service graph might use one ormore parameters and have one or more connectors.

The service graph may include any combination of nodes and arcs torepresent a service, topology or portions thereof. Nodes and arcs may bearranged in a manner to identify or describe the physical and/or logicaldeployment of the service and any elements used to access the service.Nodes and arcs may be arranged in a manner to identify or describe theflow of network traffic in accessing or using a service. Nodes and arcsmay be arranged in a manner to identify or describe the components of aservice, such as multiple microservices that communicate with each otherto provide functionality of the service. The service graph may be storedin storage such as a database in a manner in order for the service graphgenerator to generate a service graph in memory and/or render theservice graph in display form 514.

The service graph generator 512 may include an application, program,library, script, service, process, task or any type and form ofexecutable instructions for establishing, creating, generating,implementing, configuring or updating a service graph 505. The servicegraph generator may read and/or write data representing the servicegraph to a database, file or other type of storage. The service graphgenerator may comprise logic, functions and operations to construct thearrangement of nodes and arcs to have an electronic representation ofthe service graph in memory. The service graph generator may read oraccess the data in the database and store data into data structures andmemory elements to provide or implement a node based representation ofthe service graph that can be updated or modified. The service graphgenerator may use any information from the topology to generate aservice graph. The service graph generator may make network calls or usediscovery protocols to identify the topology or any portions thereof.The service graph generator may use any metrics, such as in memory orstorage or from other devices, to generate a service graph. The servicegraph generator may comprise logic, functions and operations toconstruct the arrangement of nodes and arcs to provide a graphical orvisual representation of the service graph, such as on a user interfaceof a display device. The service graph generator may comprise logic,functions and operations to configure any node or arc of the servicegraph to represent a configuration or parameter of the corresponding orunderlying element represented by the node or arc. The service graphgenerator may comprise logic, functions and operations to include,identify or provide metrics in connection with or as part of thearrangement of nodes and arcs of the service graph display. The servicegraph generator may comprise an application programming interface (API)for programs, applications, services, tasks, processes or systems tocreate, modify or interact with a service graph.

The service graph display 514 may include any graphical or electronicrepresentation of a service graph 505 for rendering or display on anytype and form of display device. The service graph display may berendered in visual form to have any type of color, shape, size or othergraphical indicators of the nodes and arcs of the service graph torepresent a state or status of the respective elements. The servicegraph display may be rendered in visual form to have any type of color,shape, size or other graphical indicators of the nodes and arcs of theservice graph to represent a state or status of one or more metrics. Theservice graph display may comprise any type of user interface, such as adashboard, that provides the visual form of the service graph. Theservice graph display may include any type and form of user interfaceelements to allow users to interact, interface or manipulate a servicegraph. Portion of the service graph display may be selectable toidentify information, such as metrics or topology information about thatportion of the service graph. Portions of the service graph display mayprovide user interface elements for users to take an action with respectto the service graph or portion thereof, such as to modify aconfiguration or parameter of the element.

The service graph monitor 518 may include an application, program,library, script, service, process, task or any type and form ofexecutable instructions to receive, identify, process metrics 518 of thetopology 510. The service graph monitor 518 monitors via metrics 518 theconfiguration, performance and operation of elements of a service graph.The service graph monitor may obtain metrics from one or more devices onthe network. The service graph monitor may identify or generate metricsfrom network traffic traversing the device(s) of the service graphmonitor. The service graph monitor may receive reports of metrics fromany of the elements of the topology, such as any elements represented bya node in the service graph. The service graph monitor may receivereports of metrics from the service. From the metrics, the service graphmonitor may determine the state, status or condition of an elementrepresented in or by the service graph, such as by a node of the servicegraph. From the metrics, the service graph monitor may determine thestate, status or condition of network traffic or network connectedrepresented in or by the service graph, such as by an arc of the servicegraph. The service graph generator and/or service graph monitor mayupdate the service graph display, such as continuously or inpredetermined frequencies or event based, with any metrics or anychanged in the state, status or condition of a node or arc, elementrepresented by the node or arc, the service, network or network traffictraversing the topology.

The metrics 518, 518′ (generally referred to as metrics 518) may bestored on network device in FIG. 5B, such as in memory or storage. Themetrics 518, 518′ may be stored in a database on the same device or overa network to another device, such as a server. Metrics may include anytype and form of measurement of any element of the topology, service ornetwork. Metrics may include metrics on volume, rate or timing ofrequests or responses received, transmitted or traversing the networkelement represented by the node or arc. A Metrics may include metrics onusage of a resource by the element represented by the node or arc, suchas memory, bandwidth. Metrics may include metrics on performance andoperation of a service, including any components or microservices of theservice, such as rate of response, transaction responses and times.

FIG. 5B illustrates an implementation of a service graph in connectionwith microservices of a service in view of east-west network traffic andnorth-south network traffic. In brief overview, clients 102 may accessvia one or more networks 104 a data center having servers 106A-106N(generally referred to as servers 106) providing one or more services275A-275N (generally referred to as services 275). The services may bemade up multiple microservices 575A-575N (generally referred to asmicroservice or micro service 575). Service 275A may includemicroservice 575A and 575N while service 275B may include microservice575B and 575N. The microservices may communicate among the microservicesvia application programming interface (APIs). A service graph 505 mayrepresent a topology of the services and metrics on network traffic,such as east-west network traffic and north-south network traffic.

North-south network traffic generally describes and is related tonetwork traffic between clients and servers, such as client via networks104 to servers of data center and/or servers to clients via network 104as shown in FIG. 5B. East-west network traffic generally describes andis related to network traffic between elements in the data centers, suchas data center to data center, server to server, service to service ormicroservice to microservice.

A service 275 may comprise microservices 575. In some aspects,microservices is a form of service-oriented architecture style whereinapplications are built as a collection of different smaller servicesrather than one whole or singular application (referred to sometimes asa monolithic application). Instead of a monolithic application, aservice has several independent applications or services (e.g.,microservices) that can run on their own and may be created usingdifferent coding or programming languages. As such, a larger server canbe made up of simpler and independent programs or services that areexecutable by themselves. These smaller programs or services are groupedtogether to deliver the functionalities of the larger service. In someaspects, a microservices based service structures an application as acollection of services that may be loosely coupled. The benefit ofdecomposing a service into different smaller services is that itimproves modularity. This makes the application or service easier tounderstand, develop, test, and be resilient to changes in architectureor deployment.

A microservice includes an implementation of one or more functions orfunctionality. A microservice may be a self-contained piece of businessfunction(s) with clear or established interfaces, such as an applicationprogramming interface (API). In some implementations, a microservice maybe deployed in a virtual machine or a container. A service may use oneor more functions on one microservice and another one or more functionsof a different microservice. In operating or executing a service, onemicroservice may make API calls to another microservice and themicroservice may provide a response via an API call, event handler orother interface mechanism. In operating or executing a microservice, themicroservice may make an API call to another microservice, which in itsoperation or execution, makes a call to another microservice, and so on.

The service graph 505 may include multiple nodes 570A-N connected orlinked via one or more or arcs 572A-572N. The service graph may havedifferent types of nodes. A node type may be used to represent aphysical network element, such as a server, client, appliance or networkdevice. A node type may be used to represent an end point, such as aclient or server. A node type may be used to represent an end pointgroup, such as group of clients or servers. A node type may be used torepresent a logical network element, such as a type of technology,software or service or a grouping or sub-grouping of elements. A nodetype may be used to represent a functional element, such asfunctionality to be provided by an element of the topology or by theservice.

The configuration and/or representation of any of the nodes 570 mayidentify a state, a status and/or metric(s) of the element representedby the node. Graphical features of the node may identify or specify anoperational or performance characteristic of the element represented bythe node. A size, color or shape of the node may identify an operationalstate of whether the element is operational or active. A size, color orshape of the node may identify an error condition or issue with anelement. A size, color or shape of the node may identify a level ofvolume of network traffic, a volume of request or responses received,transmitted or traversing the network element represented by the node. Asize, color or shape of the node may identify a level of usage of aresource by the element represented by the node, such as memory,bandwidth, CPU or storage. A size, color or shape of the node mayidentify relativeness with respect to a threshold for any metricassociated with the node or the element represented by the node.

The configuration and/or representation of any of the arcs 572 mayidentify a state, status and/or metric(s) of the element represented bythe arc. Graphical features of the arc may identify or specify anoperational or performance characteristic of the element represented bythe arc. A size, color or shape of the node may identify an operationalstate of whether the network connection represented by the arc isoperational or active. A size, color or shape of the arc may identify anerror condition or issue with a connection associated with the arc. Asize, color or shape of the arc may identify an error condition or issuewith network traffic associated with the arc. A size, color or shape ofthe arc may identify a level of volume of network traffic, a volume ofrequest or responses received, transmitted or traversing the networkconnection or link represented by the arc. A size, color or shape of thearc may identify a level of usage of a resource by network connection ortraffic represented by the arc, such as bandwidth. A size, color orshape of the node may identify relativeness with respect to a thresholdfor any metric associated with the arc. In some implementations, ametric for the arc may include any measurement of traffic volume perarc, latency per arc or error rate per arc.

Referring now to FIG. 5C, an implementation of a method for generatingand displaying a service graph will be described. In brief overview ofmethod 580, at step 582, a topology is identified, such as for aconfiguration of one or more services. At step 584, the metrics ofelements of the topology, such as for a service are monitored. At step586, a service graph is generated and configured. At step 588, a servicegraph is displayed. At step 590, issues with configuration, operationand performance of a service or the topology may be identified ordetermined.

At step 582, a device identifies a topology for one or more services.The device may obtain, access or receive the topology 510 from storage,such as a database. The device may be configured with a topology for aservice, such as by a user. The device may discover the topology orportions therefore via one more discovery protocols communicated overthe network. The device may obtain or receive the topology or portionsthereof from one or more other devices via the network. The device mayidentify the network elements making up one or more services. The devicemay identify functions providing the one or more services. The devicemay identify other devices or network elements providing the functions.The device may identify the network elements for north-west traffic. Thedevice may identify the network elements for east-west traffic. Thedevice may identify the microservices providing a service. In someimplementations, the service graph generator establishes or generates aservice graph based on the topology. The service graph may be stored tomemory or storage.

At step 584, the metrics of elements of the topology, such as for aservice are monitored. The device may receive metrics about the one ormore network elements of the topology from other devices. The device maydetermine metrics from network traffic traversing the device. The devicemay receive metrics from network elements of the topology, such as viareports or events. The device may monitor the service to obtain orreceive metrics about the service. The metrics may be stored in memoryor storage, such as in association with a corresponding service graph.The device may associate one or more of the metrics with a correspondingnode of a service graph. The device may associate one or more of themetrics with a corresponding arc of a service graph. The device maymonitor and/or obtain and/or receive metrics on a scheduled orpredetermined frequency. The device may monitor and/or obtain and/orreceive metrics on a continuous basis, such as in real-time ordynamically when metrics change.

At step 586, a service graph is generated and configured. A servicegraph generator may generate a service graph based at least on thetopology. A service graph generator may generate a service graph basedat least on a service. A service graph generator may generate a servicegraph based on multiple services. A service graph generator may generatea service graph based at least on the microservices making up a service.A service graph generator may generate a service graph based on a datacenter, servers of the data center and/or services of the data center. Aservice graph generator may generate a service graph based at least oneast-west traffic and corresponding network elements. A service graphgenerator may generate a service graph based at least on north-southtraffic and corresponding network elements. A service graph generatormay configure the service graph with parameters, configuration data ormeta-data about the elements represented by a node or arc of the servicegraph. The service graph may be generated automatically by the device.The service graph may be generated responsive to a request by a user,such as via a comment to or user interface of the device.

At step 588, a service graph is displayed. The device, such as viaservice graph generator, may create a service graph display 514 to bedisplayed or rendered via a display device, such as presented on a userinterface. The service graph display may include visual indicators orgraphical characteristics (e.g., size, shape or color) of the nodes andarcs of the service graph to identify status, state or condition ofelements associated with or corresponding to a node or arc. The servicegraph display may be displayed or presented via a dashboard or otheruser interface in which a user may monitor the status of the service andtopology. The service graph display may be updated to show changes inmetrics or the status, state and/or condition of the service, thetopology or any elements thereof. Via the service graph display, a usermay interface or interact with the service graph to discoverinformation, data and details about any of the network elements, such asthe metrics of a microservice of a service.

At step 590, issues with configuration, operation and performance of aservice or the topology may be identified or determined. The device maydetermine issues with the configuration, operation or performance of aservice by comparing metrics of the service to thresholds. The devicemay determine issues with the configuration, operation or performance ofa service by comparing metrics of the service to previous or historicalvalues. The device may determine issues with the configuration,operation or performance of a service by identifying a change in ametric. The device may determine issues with the configuration,operation or performance of a service by identifying a change in astatus, state or condition of a node or arc or elements represented bythe node or arc. The device may change the configuration and/orparameters of the service graph. The device may change the configurationof the service. The device may change the configuration of the topology.The device may change the configuration of network elements making upthe topology or the service. A user may determine issues with theconfiguration, operation or performance of a service by reviewing,exploring or interacting with the service graph display and any metrics.The user may change the configuration and/or parameters of the servicegraph. The user may change the configuration of the service. The usermay change the configuration of the topology. The device may change theconfiguration of network elements making up the topology or the service.

F. Systems and Methods for Identifying Security Issues with APIs andMicroservices of a Service Graph

The implementations described herein may provide a tool for identifyingsecurity issues and applying security policies to the service(s) and/ormicroservices. Rather than a user (such as an administrator) reactivelydiagnosing security incidents, the systems and methods described hereinmay provide a tool by which the user can proactively monitor the use ofthe services and microservices for security issues and control the userof such microservices and services via policies. The systems and methodsallow API granular policy control to determine which APIs may be grantedor denies access based on a variety of criteria, such as but not limitedto the source of the request, the specific API being called, temporalconditions, geography and so forth. The user can identify securityconcerns or issues on a per API basis. The implementations describedherein may increase the efficiency of monitoring and controllingmicroservices corresponding to a service by providing a tool by whichpolicies can be applied to APIs to allow or grant access to the API tothe requestor. The implementations described herein may decreasedowntime as a result of security incidents by providing a faster andmore flexible mechanism by which an administrator can identify andremediate security issues at the API level. Various other benefits andadvantages of the embodiments described herein are further detailedbelow.

Referring now to FIGS. 5A-5C along with FIG. 6A-6B, an illustrativeimplementation of a system and method for identifying security issuesand applying policies for secure use of APIs across microservices aredescribed. The systems and methods may be applied to APIs request madeacross network links to microservices to identify APIs requests that donot meet the policies established for the system. Use of these systemsand methods may identify APIs requests from sources that are notintended users of such APIs or that may be used in a manner or a timenot intended for the enterprise or entity deploying the use of suchservices. The policies provide a flexible and configurable mechanism tomonitor and control the use of services and their microservices on agranularity of API requests.

Referring now to FIG. 6A, an example implantation of a system fordeploying and using policies applied to APIs requests for services andtheir microservices is depicted. The system may include a network device200, such as the network device 200 of FIG. 5A, implemented with apolicy manager 604 and policies 605. The network device may be incommunication with any one or more elements of a topology of a servicegraph 505, such as device that is intermediary to requestors of APIcalls and microservices or services receiving and responding to thoseAPI calls. The policy manager may apply policies on API calls tomicroservices or between microservices, such as the microservices ofservices of a topology of a service graph 505. For example, the policymanager 604 may apply policy 605A to API call A from an external sourceto microservice 575N to determine whether or not to allow or deny theaccess to the API A of the microservice. The policy manager 604 mayapply policy 605N to API call N between microservice MS 575N andmicroservice 575B to determine whether or not to allow or deny theaccess to the API N between the microservices.

The policy manager 604 may comprise an application, program, service,task, script, process, and/or any type and form of executableinstructions to apply one or more policies 604 to one or more requests.In some embodiments, the policy manager 604 may be or include the policyengine 236 described elsewhere herein. The policy manager 604 mayimplement logic, rules and/or functionality to apply one or morepolicies 605 to a request such as to determine if the request is allowedor granted and how to process the request accordingly. The policymanager 604 may be implemented to apply one or more policies 605 to anyAPI calls to any service or microservice of a system, such as theservices or microservice represented by a service graph 505.

The policy manager 604 may be responsive to the service graph monitor516. For example, the service graph monitor may monitor network trafficfor API calls. The service graph monitor may identify API calls thatmatch policies of the policy manager. The service graph monitor maycall, trigger or activate the policy manager responsive to an API call,such as an API call matching or corresponding to a policy. The policymanager may instruct or communicate with the service graph monitor toidentify which API calls to monitor based on the policies implementedfor the policy manager.

A policy 605 may be configured to be used by the policy manager 604 toidentify API calls and whether to allow or deny the API call to aservice or microservice. The policy 605 may include one or moreparameters configured to identify a name of a request, such as the nameof the API call and whether the request is allowed or denied. The policy605 may be configured with one or more rules for identification ofsources or requestors that may be allowed or denies use of the API oraccess to the API of the service or microservice. The policy 604 may beconfigured with a rule, parameter or setting to indicate or instruct thedevice to allow or deny use of the API based on geography. The policy604 may be configured with a rule, parameter or setting to indicate orinstruct the device to allow or deny use of the API based on date and/ortime of the API call. The policy 604 may be configured with a rule,parameter or setting to indicate or instruct the device to allow or denyuse of the API based on user making the API call. The policy 604 may beconfigured with a rule, parameter or setting to indicate or instruct thedevice to allow or deny use of the API based on entity or enterprisemaking the API call.

The policy 604 may be configured with a rule, parameter or setting toindicate or instruct the device to allow or deny use of the API based onthe network link being used for the API call. The policy 604 may beconfigured with a rule, parameter or setting to indicate or instruct thedevice to allow or deny use of the API based on whether the source ofthe API call is from a network different than the network of the serviceor microservice providing the API.

The policy 604 may be configured with a rule, parameter or setting toindicate or instruct the device to allow or deny use of the API based onmetadata about the device of the requestor. The policy 604 may beconfigured with a rule, parameter or setting to indicate or instruct thedevice to allow or deny use of the API based on an identifier of aserver, service or microservice making the API call. The policy 604 maybe configured with a rule, parameter or setting to indicate or instructthe device to allow or deny use of the API based on identifiers of therequestor and the service or microservices being requested, such as anAPI call between a server, service or microservice requesting the APIcall and the server, service or microservice that is receiver of orproviding the API call. The policy 604 may be configured with a rule,parameter or setting to indicate or instruct the device to allow or denyuse of the API based on one or more parameters or values being used orpassed by the API call.

Referring now to FIG. 6B, described is an illustrative implementation ofa method for applying a policy to an application programming interfaceof a microservice. In brief overview of method 620, at step 625, adevice receives a request to access the API. At step 630, the deviceidentifies a policy for accessing an application programming interface(API) of a microservice which identifies which other microservices mayaccess the API. At step 635, the device applies the policy to therequest. At step 640, the device allows or prevents the request fromaccessing the API based on the policy.

In further detail, at step 625, the device receives a request to accessthe API of the microservice. The device may receive a request from aclient device. The device may receive a request from a server. Thedevice may receive a request from a microservice. The device may receivea request from a server, servers, or microservices in a data center. Thedevice may receive a request from another API. The device may receive arequest from a plurality of microservices. The method may includereceiving, by the device, a request from a source other than theplurality of microservices to access the API of the microservice. Thesource may be a device external to a network of the plurality ofmicroservices. The device may receive a request over a network. Therequest may traverse the device onto the destination of the API call,such as a service or microservice. The device may intercept and processthe request.

At step 630, the device identifies a policy for accessing the API callof the request. The device may identify a policy based on the IP addressof the request. The device may identify a policy based on the identityof the user submitting the request. The device may identify a policybased on the entity with which the request is associated. For example,the device may identify a policy based on the company from which therequest is submitted or for the entity that provides the API via theservice or microservice. The device may identify the policy based on theAPI. For instance, a device may select a policy based on theidentification of the API. The device may select a policy based on thename of the API. For instance, the device may select a policy thatallows requests containing a string in the request to access APIs with amatching string in the API name. The device may identify the policybased on the API being part of a group of APIs. The device may identifya policy based on a characteristic of the API, such as any parameters orvalues used by the API.

The device may select a policy based on the source of the request. Forinstance, the device may select a policy based on if the requestoriginates internal to the device network. For instance, the device mayselect a policy based on if the request originates outside of afirewall. For instance, the device may select a policy based on if therequest originates from a trusted network.

The device may select a policy based on the geographic origin of therequest or of the provider of the API or microservice. For instance, thedevice may select a policy based on if the request is local. The devicemay select a policy based on if the request originates from a restrictedcountry or location. The device may select a policy based on if theorigin of the request is known.

A device may select a policy based on the frequency of a request over atimespan. For instance, a device may select a more stringent policy ifthe frequency of the request is too high.

The device may select a policy based on a permission field in the API.For example, the device may select a more stringent policy for an APIwith a permission field classifying the API as restricted. For example,a device may select a policy based on the source of the request for anAPI with a permission field classifying the API as internal access only.

The device may select the policy based on any combination of items orentities, including any combination described herein, such as name ofAPI, API parameters(d) identity of user, identify of entity, devicemetadata, geography of requestor or API provider, network type, networkidentifier, temporal criteria, etc.

At step 635, the device applies the policy to the API call of therequest. The policy may identify an action to take for the API callbased on one or more rules of the policy. The policy may be applied byusing content of the request or API call in one or more rules of thepolicy. The policy may be applied by using metadata of the requestor ordestination of the request, such as the service or microserviceproviding the API, in one or more rules of the policy. The policy may beapplied by using metadata about any devices associated with the requestor API in one or more rules of the policy. The one or more rules of thepolicy if result in being true may trigger the action specified by thepolicy such as allow or deny the API request. The one or more rules ofthe policy if result in being false may trigger the action specified bythe policy such as allow or deny the API request. The device mayidentify a request to access the API of the microservice from a secondmicroservice as allowed, responsive to the policy.

At step 640, the device allows or prevents the request from accessingthe API based on the policy. The application of the policy may deny therequest. The application of the policy may allow the request. Theapplication of the policy may place the request in a pending or waitstate. For instance, the policy may place requests designated as lowurgency requests or low priority requests in a wait state during periodsof high utilization. The request may be taken out of the wait state whenmore computing resources are available. For example, the application ofthe policy may place the request in a wait state during period of lowresources, for instances if the frequency of request is high or therequest requires a significant amount of resources.

The device may blocking the request responsive to the policy. The devicemay forward an allowed request to the microservice.

If the device allows the request, the device may log the request asallowed. If the device denies the request, the device may log therequest as denied. If the device puts the request in a wait state, thedevice may log the request as waiting. The device may queue a waitingrequest and allow the request to access the API at the appropriate timedetermined by the policy.

The device may monitor, collect and store metrics of API calls andmetrics on the policies being triggered by or used on the API calls,including any information used by the rules of the policies. The devicemay display metrics of API calls and metrics on the policies andinformation on the policies in an associated service graph such as via aservice graph display.

The method may include generating, by the device, a service graphcomprising a plurality of microservices and one or more links betweenone or more microservices and the microservice. The service graph mayinclude the plurality of microservices and one or more links allowed bythe policy between one of the other microservices and the microservice.The device may display the service graph with an identification of theone or more links to the microservice allowed by the policy. The devicemay display the service graph identifying one or more device actionsresponsive to the policy and in association with a corresponding link tothe microservice.

The device may display the service graph with one or more user interfaceelements. The user interface elements may allow a user to instruct thedevice to take an action with respect to the link with respect to one ormore requests. The action may be quarantining, preventing access,releasing, or adding a second policy.

Various elements, which are described herein in the context of one ormore embodiments, may be provided separately or in any suitablesubcombination. For example, the processes described herein may beimplemented in hardware, software, or a combination thereof. Further,the processes described herein are not limited to the specificembodiments described. For example, the processes described herein arenot limited to the specific processing order described herein and,rather, process blocks may be re-ordered, combined, removed, orperformed in parallel or in serial, as necessary, to achieve the resultsset forth herein.

It will be further understood that various changes in the details,materials, and arrangements of the parts that have been described andillustrated herein may be made by those skilled in the art withoutdeparting from the scope of the following claims.

We claim:
 1. A method for applying a policy to an applicationprogramming interface of a microservice, the method comprising: (a)identifying, by a device intermediary to a plurality of microservices, apolicy for accessing an application programming interface (API) of amicroservice of a plurality of microservices, wherein the policyidentifies which other of the plurality of microservices may access theAPI of the microservice; (b) receiving, by the device, one or morerequests from one or more microservices of the plurality ofmicroservices to access the API of the microservice; (c) determining, bythe device responsive to the policy, that at least one request of theone or more requests is from a microservice not allowed to access theAPI of the microservice; and (d) preventing, by the device responsive tothe determination, access to the microservice by the at least onerequest.
 2. The method of claim 1, further comprising receiving, by thedevice, a request from a source other than the plurality ofmicroservices to access the API of the microservice.
 3. The method ofclaim 2, wherein the source comprises a device external to a network ofthe plurality of microservices.
 4. The method of claim 2, furthercomprising blocking, by the device, the request responsive to thepolicy.
 5. The method of claim 1, further comprising identifying, by thedevice responsive to the policy, that a second request to access the APIof the microservice is from a second microservice identified as allowedto access the microservice.
 6. The method of claim 5, further comprisingforwarding, by the device, the second request to the microservice. 7.The method of claim 1, further comprising generating, by the device, aservice graph comprising the plurality of microservices and one or morelinks between the one or more of the other of the plurality ofmicroservices and the microservice.
 8. The method of claim 7, furthercomprising displaying, by the device, the service graph withidentification of one or more actions of the device responsive to thepolicy in association with a corresponding link to the microservice. 9.The method of claim 8, further comprising displaying, by the device, theservice graph with one or more user interface elements to take an actionwith respect to the link with respect to the one or more requests, theaction comprising one of quarantining, preventing access, releasing oradding a second policy.
 10. The method of claim 1, further comprisinggenerating, by the device, a service graph comprising the plurality ofmicroservices and one or more links allowed by the policy between theone or more of the other of the plurality of microservices and themicroservice and displaying, by the device, the service graph withidentification of the one or more links to the microservice allowed bythe policy
 11. A system for applying a policy to an applicationprogramming interface of a microservice, the system comprising: a devicecomprising one or more processors, coupled to memory, and intermediaryto a plurality of microservices, the device configured to: identify apolicy for accessing an application programming interface (API) of amicroservice of a plurality of microservices, wherein the policyidentifies which other of the plurality of microservices may access theAPI of the microservice; wherein the device is configured receive one ormore requests from one or more microservices of the plurality ofmicroservices to access the API of the microservice; determine,responsive to the policy, that at least one request of the one or morerequests is from a microservice not allowed to access the API of themicroservice; and prevent, responsive to the determination, access tothe microservice by the at least one request.
 12. The system of claim11, wherein the device is further configured to receive a request from asource other than the plurality of microservices to access the API ofthe microservice.
 13. The system of claim 12, wherein the sourcecomprises a device external to a network of the plurality ofmicroservices.
 14. The system of claim 12, wherein the device is furtherconfigured to block the request responsive to the policy.
 15. The systemof claim 11, wherein the device is further configured to identify,responsive to the policy, that a second request to access the API of themicroservice is from a second microservice identified as allowed toaccess the microservice.
 16. The system of claim 15, wherein the deviceis further configured to forward the second request to the microservice.17. The system of claim 11, wherein the device is further configured togenerate a service graph comprising the plurality of microservices andone or more links between the one or more of the other of the pluralityof microservices and the microservice.
 18. The system of claim 17,wherein the device is further configured to display the service graphwith identification of one or more actions of the device responsive tothe policy in association with a corresponding link to the microservice.19. The system of claim 11, wherein the device is further configured todisplay the service graph with one or more user interface elements totake an action with respect to the link with respect to the one or morerequests, the action comprising one of quarantining, preventing access,releasing or adding a second policy.
 20. The method of claim 1, whereinthe device is further configured to generate a service graph comprisingthe plurality of microservices and one or more links allowed by thepolicy between the one or more of the other of the plurality ofmicroservices and the microservice and display the service graph withidentification of the one or more links to the microservice allowed bythe policy